The Department of Homeland Security recently issued data security guidance to owners and operators of critical infrastructure. It applies to organizations whose networks have been compromised by a cyber-attack as well as to those who want to improve their network security preparedness; banks fit nicely into both categories.
The Department of Homeland Security is obviously not an enforcement agency, so it can't make companies follow its guidelines. Yet banks should pay close attention to the advice and take it to heart, according to Bill Stewart, a senior vice president who leads the Cyber Technologies Center of Excellence at Booz Allen. We asked Stewart what the guidelines mean for bank IT departments from a practical standpoint.
"The overall guidance is very good and very helpful," he says. "Even though it doesn't feel good that we're now realizing the extent to which corporations are exposed, the positive side is that folks are taking more initiative now to actually respond. There are a lot of technologies, processes, and procedures that can be done to help ourselves and make our infrastructure more secure."
The first surprising piece of advice in the guidelines (to us, anyway) is that in the event of a network break-in, companies should not immediately try to oust the intruder. "Organizations that suspect a compromise should first consider how to preserve forensic data and stop movement of the intruder through the network," the paper states. "While the tendency might be to first find and eliminate the intruder, unless adequate steps are taken to preserve data and prevent lateral movement, the recovery processes will not likely be successful."
This feels like an approach that would benefit the government in its nationwide security efforts more than it would help the victim. But according to Stewart, it makes sense on both sides.
"If I'm trying to defend my company and find something malicious, a natural reaction would be, let's get rid of it, let's take that computer offline and take all the software off and restart it," Stewart says. "The problem with that is the intruders, who are watching, know you found them and they now know to move to other places. So what you really have to do is watch them. It's a game of cat and mouse. Try to figure out where else they are, then do something in a well-coordinated way, rather than taking one computer down and re-imaging it, which is like putting a sign on the door announcing that you have found a breach."
There is a risk trade-off. "If you're bleeding dollars, you have to shut it down," Stewart acknowledges. "If there's damage occurring, you have to respond to the damage." But in a proper proactive hunt mode, it's possible to find the attackers and shut their whole operation down before the damage starts, he says.
Sophisticated adversaries such as nation-states embed malware in financial services networks that often lies dormant for a long time, a pattern known as an advanced persistent threat. In such cases, there often is time for a bank's security or IT department to plan a broader counterattack.
The second broad recommendation of the report is that companies should use strong intrusion detection technology, which is commonplace on corporate networks.
What is that state-of-the-art technology that will catch all malicious visitors to a network? "If we could build it, we would," Stewart notes. "Intrusion detection systems typically are about pattern matching, which is good stuff and you need it. However, that's the kind of thing the sophisticated adversaries can get around because they know what these IDSs are looking for, and when their new malware is detected, they don't use it anymore. But you need to supplement the software by keeping analytics and humans in the loop."
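Stewart's point, together with the guidance's emphasis on stopping lateral movement, can be shown with a small added example that is not from the article or from Booz Allen: a hash signature only catches the one binary it already knows, while a simple analytic over authentication-log lines flags the same host fanning out across the network whatever tool it used. The host names, hashes, log format and thresholds below are all constructed for the illustration.

```python
# Added example (not from the article): signature matching versus a
# behavioural analytic over constructed authentication logs.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: the one tool hash an IDS signature set already knows.
# Placeholder value, not a real indicator.
KNOWN_BAD_HASHES = {"c0ffee00"}

# Constructed log lines: timestamp, source host, destination host, tool hash.
# The intruder swaps the known binary for a recompiled one after the first hop.
SAMPLE_LOG = """\
2013-01-10T09:00:00 ws-17 fs-01 c0ffee00
2013-01-10T09:00:30 ws-17 fs-02 deadbeef
2013-01-10T09:01:10 ws-17 db-03 deadbeef
2013-01-10T09:01:40 ws-17 hr-04 deadbeef
2013-01-10T09:02:05 ws-17 ad-01 deadbeef
2013-01-10T10:15:00 ws-22 fs-01 deadbeef
"""

def parse(log_text):
    """Turn the constructed log into (timestamp, src, dst, hash) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, src, dst, digest = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, digest))
    return events

def signature_hits(events):
    """Pattern matching: flags only hops made with an already-known hash."""
    return [(src, dst) for _, src, dst, h in events if h in KNOWN_BAD_HASHES]

def lateral_movement_hits(events, window=timedelta(minutes=5), fan_out=4):
    """Analytic: a source reaching fan_out or more distinct hosts inside one
    window is flagged regardless of which binary it used on each hop."""
    by_src = defaultdict(list)
    for ts, src, dst, _ in events:
        by_src[src].append((ts, dst))
    flagged = set()
    for src, hops in by_src.items():
        hops.sort()
        for i, (start, _) in enumerate(hops):
            seen = {d for t, d in hops[i:] if t - start <= window}
            if len(seen) >= fan_out:
                flagged.add(src)
                break
    return sorted(flagged)
```

Run on the sample, the signature check reports the single hop made with the known hash, while the analytic reports ws-17 for all five hops and ignores the lone ws-22 login, which is the kind of hunt-mode finding the article says lets defenders map the intruder before acting.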